  • Restoring Digital Trust - Can China Lead the Way?

    I read with interest the US Chamber of Commerce’s assessment of the Made in China (MIC) 2025 plan to transform the world’s most populous nation into an Advanced Manufacturing leader. MIC 2025 covers 10 strategic industries that China identifies as critical to economic growth in the 21st century, including next-gen information technology, aviation, rail, new energy vehicles and agricultural machinery.

    The Chamber criticizes the MIC 2025 plan, stating that it “leverages the power of the state to alter competitive dynamics in global markets in industries core to economic competitiveness.” The US Government report concludes that “China’s emerging legal and regulatory framework governing information technology pose serious challenges for global connectivity. Cloud computing and other digital technologies that require a seamless flow of data are already changing the nature of numerous industries, including manufacturing.” Relevant points all, but one has to wonder whether China’s motivation is solely about leveraging competitive advantage on what many consider an already unlevelled playing field, or is there something else going on here? Something far more important in the total scheme of things.

    Is it possible that what’s really driving China – or at least its secondary goal – is to abandon products that leave their nation vulnerable to foreign digital surveillance due to reliance on technology and protocols (like PKI) that were “not invented here” and that have proven to be highly vulnerable to outside threats?

    Because, let’s face it: everything digital is broken and every nation seems to be hacking and spying on its trade competitors, its enemies, and even its allies. From the Snowden revelations citing American digital misconduct, to Russians hacking John Podesta’s email and influencing the 2016 US election, to the US encouraging the world to ban Chinese manufacturer Huawei’s technology for fear of backdoors…it’s like we’re living inside a great big video game.

    Something has to change, and maybe China is – deliberately or accidentally – leading the way.

    Consider the following. As noted in the Chamber of Commerce document, China is pursuing standards that diverge from existing international ones, and is investing heavily in manufacturing its own semiconductor chips. Ask yourself, why? My bet is that the Government of China wants new standards because it can’t trust the ones that are pervasive today. Let’s be honest. PKI is an open book that isn’t protecting any government or business or person that relies on it for security. Chips are vulnerable to side channel attacks like Spectre and Meltdown, TLS isn’t secure any more – maybe it never was – and the prevailing view within the cryptographic community is that the prime numbers which are the very foundation of RSA will soon be discovered.

    To quote Scotland’s Napier University Professor of Cryptography, Bill Buchanan, “One day, and I think it might be soon, we will wake up and RSA will be cracked. Either it will be super computers cracking the prime numbers, or it will be quantum computers, but when it happens there will be no proper identity on the Web and all the tunnels will be broken.”

    At the risk of being repetitive, something has to change and quickly.

    In MIC 2025 the Chinese government states that it needs to deploy infrastructure that is:
    1. Secure and Controllable
    2. Secure and Trustworthy
    3. Secure and Reliable

    China is betting on the adoption of the standardized SM9 cryptographic scheme to help achieve its goals. SM9 is certificate-less technology that is, for all intents and purposes, Identity-Based Encryption (IBE). And while IBE has long been used to successfully secure email (and not much else), something has changed in the IBE world, and that change is reflected in a patent granted by the US patent office in April 2014 and by the China patent office in September 2018. New, improved IBE (branded VIBE) now authenticates, meaning it verifies and validates the sender of every message, be it from a person or thing. And though this enhancement to the SM9 standard is not yet certified for use in China, interest in the technology is growing rapidly as Asia-based entities are gaining an understanding as to how VIBE can be deployed to deliver exactly what the People’s Republic of China is seeking - Controllable, Trustworthy, Reliable Security.

    Widespread deployment of VIBE-inside Hardware Security Modules, VIBE-inside TLS, VIBE-inside chips and VIBE-inside SIMs would allow China to create networked Digital Trust Centres that would make it impossible for any other nation to digitally invade or spy on Chinese communication. Only people and devices registered within China Trust Centres could communicate with one another. Email phishing would be impossible, man-in-the-middle attacks would disappear, the nation would have a digital barrier in place that would be impenetrable to outside threats, including surveillance. Graphically, it might look something like this.

    [Image: vibe-modern-candidate-sm9.jpg]

    And if China can restore domestic Digital Trust, why can’t other countries do the same thing? I envision a world where each nation has its own “closed” digital infrastructure where the only communication possible is from authenticated sources – defined as entities (people or things) registered in each country’s Trust Centre(s). Be mindful that by merely authenticating email, we could eliminate over 90% of cyberattacks and so we have to wonder why we're still waiting on this advancement.

    Permission-based communication among nations could be granted, and in cases where the need for digital surveillance becomes a national security matter, nations could grant such access through legal or other arrangements common among allies and sometimes, even available from rival nations.

    Deployments of VIBE SM9-enabled infrastructure and applications are now being tested (piloted), with most of the activity happening in China-friendly Singapore. And if the VIBE pilots in the works deliver on their promise, it’s highly conceivable that a large Asia-based company will help China create a digital bubble that is impervious to outside threats, and will satisfy its requirements for Controllable, Trustworthy, Reliable security.

    While apparently not by design, China appears to be on the verge of restoring national digital trust. Nations globally need to take note, and if they are smart, take steps to secure digital trust in their own countries.